breadgreen
just joined
Topic Author
Posts: 11
Joined: Sun Nov 06, 2016 4:52 pm
Location: Kazakhstan

CAPSMAN + Guest WiFi

Wed Oct 11, 2017 12:54 pm

I have a main device, an RB3011UiAS, and I decided to create a CAPsMAN network in our office. We need two SSIDs: the first, a main WLAN for private needs with a hidden WiFi network, and the second for guests, customers and others who come to our office.

So, I created and configured CAPsMAN properly:
[screenshots: CAPsMAN configuration]

Set up DHCP for both networks, and created two bridge interfaces for the private and guest networks:
[screenshots: DHCP and bridge configuration]

But I got stuck on one thing. When I connect to the private network, it's OK: I get an IP address and have internet access. But when I try to connect to the guest network, I also get an IP address, but no internet access, and I also can't ping my router from the connected device.
 
pukkita
Trainer
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: CAPSMAN + Guest WiFi

Wed Oct 11, 2017 3:35 pm

breadgreen wrote:
When I connect to the private network, it's OK: I get an IP address and have internet access. But when I try to connect to the guest network, I also get an IP address, but no internet access, and I also can't ping my router from the connected device.

I assume you mean the internet router plugged into the CAPsMAN controller? If so, check that masquerade applies equally to both networks (e.g. is applied on the out-interface criteria).

Can the open network client ping the gateway IP handed out by DHCP (10.35.0.1; watch out, you set it as a /32)?

Exporting the relevant sections (DHCP, IP Addresses, IP Firewall, Routes, etc.) and copy-pasting them here will help; pictures are barely readable and don't include all the relevant details.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
breadgreen
just joined
Topic Author
Posts: 11
Joined: Sun Nov 06, 2016 4:52 pm
Location: Kazakhstan

Re: CAPSMAN + Guest WiFi

Wed Oct 11, 2017 7:43 pm

Thanks for your answer, sorry for the poor quality of the pictures. Here is the config, I hope it helps. My knowledge is not so deep, I don't know which info I need to share :)

https://www.dropbox.com/s/17lhcv7dqc47d3a/1.rsc?dl=0
 
breadgreen
just joined
Topic Author
Posts: 11
Joined: Sun Nov 06, 2016 4:52 pm
Location: Kazakhstan

Re: CAPSMAN + Guest WiFi

Thu Oct 12, 2017 7:18 am

I suspect the problem is hiding in the bridge section or the NAT section, but I'm not sure.
 
karlisi
Member Candidate
Posts: 250
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

Re: CAPSMAN + Guest WiFi

Thu Oct 12, 2017 10:56 am

Next time don't post sensitive data, like passwords, publicly.
Disable this NAT rule and check if the problem is resolved:
add action=masquerade chain=srcnat out-interface=bridgeopen src-address=\
    10.35.0.0/24
---
Karlis
 
breadgreen
just joined
Topic Author
Posts: 11
Joined: Sun Nov 06, 2016 4:52 pm
Location: Kazakhstan

Re: CAPSMAN + Guest WiFi

Thu Oct 12, 2017 11:02 am

Oops :) Thanks for your advice. But your solution doesn't work, because I've already tried this way.
 
breadgreen
just joined
Topic Author
Posts: 11
Joined: Sun Nov 06, 2016 4:52 pm
Location: Kazakhstan

Re: CAPSMAN + Guest WiFi

Sat Oct 14, 2017 8:44 am

/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=channel1 tx-power=20
/interface bridge
add name=bridge
add name=bridgeopen
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=\
    datapath1
add bridge=bridge client-to-client-forwarding=yes name=datapath2
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security1 passphrase=ch153privatewifi
add name=open
/caps-man configuration
add channel=channel1 country=kazakhstan datapath=datapath1 hide-ssid=yes \
    mode=ap name=cfg1 rx-chains=0,1,2 security=security1 ssid=amid-private \
    tx-chains=0,1,2
add channel=channel1 country=kazakhstan datapath=datapath2 mode=ap name=\
    cfgopen rx-chains=0,1,2 security=open ssid=amid tx-chains=0,1,2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec policy group
set [ find default=yes ] name=group1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des lifetime=8h pfs-group=none
/ip pool
add name=lan-local ranges=192.168.10.130-192.168.10.199
add name=guestwifi ranges=10.35.0.2-10.35.0.254
/ip dhcp-server
add address-pool=lan-local authoritative=after-2sec-delay disabled=no \
    interface=bridge lease-time=1h name=lan-local
add address-pool=guestwifi disabled=no interface=bridgeopen name=guestwifi
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,gn \
    master-configuration=cfg1 slave-configurations=cfgopen
/interface bridge port
add bridge=bridge interface=ether4-server
add bridge=bridge interface=ether5-lan-server
add bridge=bridge interface=ether7-lan-1stfloor
add bridge=bridge interface=ether8-lan-2ndfloor
add bridge=bridge interface=ether9-lan-conf
add bridge=bridge interface=ether10-ip-pbx
add bridge=bridge interface=ether6-lan-ipcam
/ip address
add address=192.168.10.1/24 interface=bridge network=192.168.10.0
add address=192.168.12.1/24 interface=ether6-lan-ipcam network=192.168.12.0
add address=10.35.0.1 interface=bridgeopen network=10.35.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether3-zyxel-lte
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.10.35.0/24 list=lan-route-exclude-IP
add address=192.168.40.0/24 list=lan-route-exclude-IP
add address=192.168.10.0/24 list=lan-route-exclude-IP
add address=192.168.12.0/24 list=lan-route-exclude-IP
add address=192.168.20.0/24 list=lan-route-exclude-IP
add address=192.168.30.0/24 list=lan-route-exclude-IP
add address=192.168.100.0/24 list=lan-route-exclude-IP
add address=192.168.110.0/24 list=lan-route-exclude-IP
add address=192.168.120.0/24 list=lan-route-exclude-IP
add address=192.168.130.0/24 list=lan-route-exclude-IP
add address=192.168.200.0/24 list=lan-route-exclude-IP
add address=192.168.10.0/24 list=ISP1-client
add address=10.10.45.0/24 list=ISP2-client
add address=10.65.0.0/24 list=lan-route-exclude-IP
add address=10.66.0.0/19 list=lan-route-exclude-IP
add address=10.66.7.0/24 list=lan-route-exclude-IP
add address=10.65.0.2 list=lan-route-exclude-IP
add address=192.168.99.0/24 list=lan-route-exclude-IP
add address=66.220.144.0/21 comment=facebook disabled=yes list=block-facebook
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=input dst-port=53 in-interface=pppoe-ISP1 protocol=udp
add action=accept chain=input protocol=gre
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=udp src-port=4500
add action=accept chain=input dst-port=5060 protocol=udp src-port=5060
add action=accept chain=input dst-port=1723 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-ISP2 protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-ISP1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-ISP2 protocol=tcp
add action=jump chain=forward connection-state=new disabled=yes jump-target=\
    block-ddos
add action=return chain=block-ddos disabled=yes dst-limit=\
    50,50,src-and-dst-addresses/10s
add action=accept chain=input src-address=127.0.0.1
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=\
    !lan-route-exclude-IP new-routing-mark=ISP1-out passthrough=yes \
    src-address-list=ISP1-client
add action=mark-routing chain=prerouting dst-address-list=\
    !lan-route-exclude-IP new-routing-mark=ISP2-out passthrough=yes \
    src-address-list=ISP2-client
add action=mark-connection chain=input comment=\
    "Mark input connection from ISP1" in-interface=pppoe-ISP1 \
    new-connection-mark=ISP1-cin passthrough=yes
add action=mark-connection chain=input comment=\
    "Mark input connection from ISP2" in-interface=pppoe-ISP2 \
    new-connection-mark=ISP2-cin passthrough=yes
add action=mark-routing chain=output comment=\
    "Mark output connection for routing mark to ISP1" connection-mark=\
    ISP1-cin new-routing-mark=ISP1-out passthrough=yes
add action=mark-routing chain=output comment=\
    "Mark output connection for routing mark to ISP2" connection-mark=\
    ISP2-cin new-routing-mark=ISP2-out passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=ISP1 out-interface=pppoe-ISP1
add action=masquerade chain=srcnat comment=ISP2 out-interface=pppoe-ISP2
add action=netmap chain=dstnat dst-port=3389 in-interface=pppoe-ISP1 \
    protocol=tcp to-addresses=192.168.10.90 to-ports=3389
add action=netmap chain=dstnat dst-port=8000 in-interface=pppoe-ISP1 \
    protocol=tcp to-addresses=192.168.12.10 to-ports=8000
add action=netmap chain=dstnat dst-port=8000 in-interface=pppoe-ISP1 \
    protocol=udp to-addresses=192.168.12.10 to-ports=8000
add action=netmap chain=dstnat dst-port=10000-65000 in-interface=pppoe-ISP2 \
    protocol=udp to-addresses=192.168.10.15 to-ports=10000-65000
add action=netmap chain=dstnat dst-port=10000-65000 in-interface=pppoe-ISP1 \
    log=yes protocol=udp to-addresses=192.168.10.15 to-ports=10000-65000
add action=netmap chain=dstnat comment=IDPHONE dst-port=5060 in-interface=\
    pppoe-ISP1 protocol=udp to-addresses=192.168.10.15 to-ports=5060
add action=netmap chain=dstnat comment=IDPHONE dst-port=5060 in-interface=\
    pppoe-ISP2 protocol=tcp to-addresses=192.168.10.15 to-ports=5060
add action=netmap chain=dstnat comment=IDPHONE dst-port=5060 in-interface=\
    pppoe-ISP2 protocol=udp to-addresses=192.168.10.15 to-ports=5060
/ip ipsec peer
add dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des exchange-mode=\
    main-l2tp generate-policy=port-override secret=1234
/ip route
add comment="Out route over pppoe-ISP1" distance=1 gateway=\
    82.200.242.218%pppoe-ISP1 routing-mark=ISP1-out
add comment="Out route over pppoe-ISP2" distance=2 gateway=\
    82.200.242.218%pppoe-ISP2 routing-mark=ISP2-out
add comment=Default distance=1 gateway=pppoe-ISP1
add distance=1 gateway=ether3-zyxel-lte
add distance=1 dst-address=8.8.4.4/32 gateway=pppoe-ISP2
add distance=1 dst-address=8.8.8.8/32 gateway=pppoe-ISP1
add distance=1 dst-address=192.168.20.0/24 gateway=10.10.35.20
add distance=1 dst-address=192.168.30.0/24 gateway=10.10.35.30
add distance=1 dst-address=192.168.40.0/24 gateway=10.10.35.40
add distance=1 dst-address=192.168.99.0/24 gateway=l2tp-breadgreen
add distance=1 dst-address=192.168.100.0/24 gateway=10.10.35.100
add distance=1 dst-address=192.168.110.0/24 gateway=10.10.35.110
add distance=1 dst-address=192.168.120.0/24 gateway=10.10.35.120
add distance=1 dst-address=192.168.130.0/24 gateway=10.10.35.130
 
pukkita
Trainer
Posts: 2982
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: CAPSMAN + Guest WiFi

Sat Oct 14, 2017 2:37 pm

You seem to be missing the IP > DHCP > Network entries.

Also, I think for your intended setup
add address=10.35.0.1 interface=bridgeopen network=10.35.0.0
should be
add address=10.35.0.1/24 interface=bridgeopen network=10.35.0.0

Do clients connected to the open network:

1.- Get an IP?
2.- Post ipconfig /all or ifconfig & cat /etc/resolv.conf on an open client
3.- Post a netstat -rn on an open client
4.- Ping 10.35.0.1 fine?
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
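A scripted form of the /32 check pukkita points at, added here as an example (not part of the thread and not MikroTik's own tooling): run on the CAPsMAN controller, it lists every DHCP server whose interface carries only /32 addresses, which is exactly what `add address=10.35.0.1 interface=bridgeopen` produces in the export above. Written in RouterOS scripting; paste it into a terminal or save it under /system script.

```routeros
# Added example: flag DHCP servers bound to an interface that has no address
# with a real subnet mask. A bare address=10.35.0.1 is stored as /32, so DHCP
# hands out leases but the router has no connected route for the clients'
# subnet and they cannot reach their gateway.
:foreach srv in=[/ip dhcp-server find] do={
    :local ifc [/ip dhcp-server get $srv interface]
    :local ok false
    :foreach a in=[/ip address find interface=$ifc] do={
        :local addr [/ip address get $a address]
        # everything after the "/" is the prefix length, e.g. "10.35.0.1/32" -> "32"
        :local plen [:pick $addr ([:find $addr "/"] + 1) [:len $addr]]
        :if ($plen != "32") do={ :set ok true }
    }
    :if (!$ok) do={
        :put ("DHCP server " . [/ip dhcp-server get $srv name] . " on " . $ifc . " has only /32 addresses; fix the prefix length in /ip address")
    }
}
```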
 
breadgreen
just joined
Topic Author
Posts: 11
Joined: Sun Nov 06, 2016 4:52 pm
Location: Kazakhstan

Re: CAPSMAN + Guest WiFi

Mon Oct 16, 2017 6:31 am

pukkita, thank you very much. You were right, my mistake was ridiculous. I just added "/24" to 10.35.0.0 and the guest WiFi works! I'm so dumb....
 
apetrov1x5
newbie
Posts: 25
Joined: Sat Jul 08, 2017 10:19 pm

Re: CAPSMAN + Guest WiFi

Wed Oct 09, 2019 10:12 am

breadgreen wrote:
Thanks for your answer, sorry for the poor quality of the pictures. Here is the config, I hope it helps. My knowledge is not so deep, I don't know which info I need to share :)

https://www.dropbox.com/s/17lhcv7dqc47d3a/1.rsc?dl=0

Your setup is not available anymore on Dropbox... I was hoping to use it as a template.

I had an RB2011 with private (hidden) and guest WLAN and am trying to set up CAPsMAN, hoping to keep both private and guest networks.

Does anyone know a good tutorial please? I followed the one from the MikroTik wiki, but it describes how to set up one WLAN only.
 
Joe1vm
just joined
Posts: 22
Joined: Sat Apr 06, 2013 4:07 pm

Re: CAPSMAN + Guest WiFi

Wed Oct 09, 2019 2:43 pm

Hello,
https://www.youtube.com/watch?v=Q9h00PYEzQM
Personally, this video helped me a lot in the past....
 
apetrov1x5
newbie
Posts: 25
Joined: Sat Jul 08, 2017 10:19 pm

Re: CAPSMAN + Guest WiFi

Tue Oct 15, 2019 4:57 pm

Joe1vm wrote:
Hello,
https://www.youtube.com/watch?v=Q9h00PYEzQM
Personally, this video helped me a lot in the past....

Many thanks for the very useful video. I tried to follow these instructions, but only got success on the main Wi-Fi network. Guest network: no internet. I also tried the tutorial from the wiki with even less success. Can someone please help me set up CAPsMAN?
 
mkx
Forum Guru
Posts: 2971
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPSMAN + Guest WiFi

Tue Oct 15, 2019 8:01 pm

I'll assume you want to set up a virtual AP to run guest WiFi and that you'll use VLANs to separate the traffic of both APs from each other.

So the setup steps are more or less the following:
  1. in /caps-man datapath create two datapaths appropriate for both traffic sources (VAPs). Set appropriate properties, such as vlan-mode=use-tag vlan-id=<VID>
  2. in /caps-man security create two security profiles with appropriate settings (authentication and encryption types, PSK if used, ...), one for each VAP
  3. in /caps-man configuration create two configuration sets appropriate for each VAP as if they were independent. One of the properties that can be defined is channels= ... I'm not sure if defining it in a configuration that is used for a slave wireless interface throws an error, but defining it in this case doesn't make sense anyway.
    Leaving out this part means the CAP can use any supported & allowed channel, which often is just fine.
  4. in /caps-man provisioning everything is then put in place:
    add action=create-dynamic-enabled master-configuration=<name-of-master-configuration> slave-configurations=<name-of-slave-configuration>

    The property name (slave-configurations) hints at the possibility to use several slave configurations to create several VAPs on the same physical AP... I never tried to run more than one VAP on a CAP, but I assume the value of this property should be a comma-separated list of configuration names.
BR,
Metod
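The four steps above written out as one controller-side configuration, added here as an example (not mkx's or MikroTik's own configuration). The VLAN IDs 10 and 20, the SSIDs, the profile names and the two PSK placeholders are assumptions; local-forwarding=no keeps CAPsMAN forwarding, so the switches between CAP and controller need no VLAN configuration. Terminating the two VLANs on the controller (bridge VLAN filtering, addresses, one DHCP server per VLAN) is a separate step not shown here.

```routeros
# Added example: CAPsMAN controller configuration for a private VAP and a
# guest VAP on separate VLANs, following the four steps in the post above.
# VLAN IDs, names, SSIDs and the PSK placeholders are assumptions.

# 1. Datapaths: each VAP tags its traffic with its own VLAN ID.
#    local-forwarding=no keeps CAPsMAN forwarding (traffic tunnelled to the
#    controller), so intermediate switches need no VLAN configuration.
/caps-man datapath
add name=dp-private vlan-mode=use-tag vlan-id=10 local-forwarding=no \
    client-to-client-forwarding=yes
# Guest clients are kept apart from each other as well as from the private VLAN.
add name=dp-guest vlan-mode=use-tag vlan-id=20 local-forwarding=no \
    client-to-client-forwarding=no

# 2. Security profiles: WPA2-PSK with AES for both, with distinct passphrases.
/caps-man security
add name=sec-private authentication-types=wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm passphrase=CHANGE-ME-private-psk
add name=sec-guest authentication-types=wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm passphrase=CHANGE-ME-guest-psk

# 3. Configurations: one per VAP. Channel settings belong in the master
#    configuration only; the slave VAP shares the master's radio.
/caps-man configuration
add name=cfg-private mode=ap ssid=home-private hide-ssid=yes \
    datapath=dp-private security=sec-private
add name=cfg-guest mode=ap ssid=home-guest \
    datapath=dp-guest security=sec-guest

# 4. Provisioning: the master plus a comma-separated list of slave configurations.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-private \
    slave-configurations=cfg-guest
```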
 
apetrov1x5
newbie
Posts: 25
Joined: Sat Jul 08, 2017 10:19 pm

Re: CAPSMAN + Guest WiFi

Wed Oct 16, 2019 12:23 pm

mkx wrote:
I'll assume you want to set up a virtual AP to run guest WiFi and that you'll use VLANs to separate the traffic of both APs from each other.

So the setup steps are more or less the following:
  1. in /caps-man datapath create two datapaths appropriate for both traffic sources (VAPs). Set appropriate properties, such as vlan-mode=use-tag vlan-id=<VID>
  2. in /caps-man security create two security profiles with appropriate settings (authentication and encryption types, PSK if used, ...), one for each VAP
  3. in /caps-man configuration create two configuration sets appropriate for each VAP as if they were independent. One of the properties that can be defined is channels= ... I'm not sure if defining it in a configuration that is used for a slave wireless interface throws an error, but defining it in this case doesn't make sense anyway.
    Leaving out this part means the CAP can use any supported & allowed channel, which often is just fine.
  4. in /caps-man provisioning everything is then put in place:
    add action=create-dynamic-enabled master-configuration=<name-of-master-configuration> slave-configurations=<name-of-slave-configuration>

    The property name (slave-configurations) hints at the possibility to use several slave configurations to create several VAPs on the same physical AP... I never tried to run more than one VAP on a CAP, but I assume the value of this property should be a comma-separated list of configuration names.

Many thanks for the above!

This is what I tried, more or less, by using the wiki tutorial: https://wiki.mikrotik.com/wiki/Manual:C ... with_VLANs
However, there are 2 issues for me there: first, I don't know which of the 2 types described there is applicable to me (local forwarding or CAPsMAN forwarding). This is my home setup where I want one master WiFi for me and one slave network for guests, home appliances etc. (so they need only access to the internet but not to each other or my home network).

And the second issue is that when I follow the tutorial with VLANs I can never get the CAPs to actually appear in the CAPs menu, even though I have ticked the Enable option for each.

I will of course try to find my mistake, but it would be good to know which type of setup I need to apply to my case described above.
 
mkx
Forum Guru
Posts: 2971
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPSMAN + Guest WiFi

Wed Oct 16, 2019 4:33 pm

apetrov1x5 wrote:
However, there are 2 issues for me there: first, I don't know which of the 2 types described there is applicable to me (local forwarding or CAPsMAN forwarding)

Generally, local forwarding is more resource friendly for both CAP and CAPsMAN devices. It is about how the data from wireless gets flushed to the network ... locally at the CAP or via the CAPsMAN device. If you're configuring VLANs, then with local forwarding you have to configure VLANs on all LAN boxes between the CAP device and the CAPsMAN device. With CAPsMAN forwarding you don't have to do that, as there's a tunnel built between both devices and intermediate boxes are not aware of anything fancy, but the CAP and CAPsMAN devices have to encrypt/decrypt all the traffic flowing through that tunnel.
BR,
Metod
 
apetrov1x5
newbie
Posts: 25
Joined: Sat Jul 08, 2017 10:19 pm

Re: CAPSMAN + Guest WiFi

Fri Oct 18, 2019 8:58 am

mkx wrote:
Generally, local forwarding is more resource friendly for both CAP and CAPsMAN devices. It is about how the data from wireless gets flushed to the network ... locally at the CAP or via the CAPsMAN device. If you're configuring VLANs, then with local forwarding you have to configure VLANs on all LAN boxes between the CAP device and the CAPsMAN device. With CAPsMAN forwarding you don't have to do that, as there's a tunnel built between both devices and intermediate boxes are not aware of anything fancy, but the CAP and CAPsMAN devices have to encrypt/decrypt all the traffic flowing through that tunnel.

Thank you!

UPDATE:

I have managed to get CAPsMAN working on my home setup, which is an RB2011 as manager and 2 CAPs. I have WiFi on both CAPs, but for some reason I cannot make the wireless on my manager RB2011 work.

Where should I look to start checking please?